spunker540 2 hours ago

I'm just a SWE, but I kinda thought cyber is a good place to be, given the proliferation of insecure vibecoded apps.

827a 2 hours ago

Companies have never cared about security, because there are almost no consequences to data breaches. A hospital network could get ransomwared for 48 hours, and no one cares. Critical data gets leaked? So what, pay a fine. You either pay a fine to the hackers, or you pay a fine to the government, or you pay a fine to customers, but no matter what it's substantially less than a fully staffed security team, not just because security professionals are expensive, but because security professionals slow everything else down; they'll spend all day telling everyone what they can't do, which == lost revenue growth.

The only thing keeping security companies in business is compliance/certification. If you've been around these compliance programs for long enough you know: they're box-checkers. But sometimes you need to check that box, begrudgingly, annoyingly, so most companies will prefer to just outsource that security work to some managed security services provider, and then think about it once a year when audit time comes around.

bpt3 an hour ago

What is a cybersecurity professional going to do about a bunch of vulnerabilities in an app that someone else decided to deploy on a network they are responsible for?

99% of cybersecurity in the commercial sector is a box checking compliance exercise.

rfgplk 2 hours ago

Most companies sadly don't care about security whatsoever.

delfinom 2 hours ago

Yep, I think my megacorp's cybersecurity department is just a bunch of checklist punchers that now just copy and paste any of our technical writeups into ChatGPT, and I am not even joking. Fucking infuriating.

They are doing the bare minimum for cybersecurity insurance requirements, that's it.

rfgplk 2 hours ago

I know _for a fact_ that most companies don't care. There might be a select few out there that genuinely do, but most don't. I've literally reported numerous GLARING vulnerabilities to companies in various different industries, only for the vulnerabilities to remain unpatched for MONTHS. A few of the most comical examples: one major game studio was compiling their Linux binaries with FULL DEBUG SYMBOLS AND INFO, plus they were shipping a 600M .sym file with practically full paths and all source info. Literally all the paths and function signatures to every single one of their functions were in there. I had to submit FOUR bug reports before they patched it (didn't even receive a bug bounty). The second one was with a major multinational telecom that was distributing routers that _had an open telnet port to the wide internet_ ... with a default password. And there were countless more. The telecom one I had to BEG them to ship me a new router, or to at least do an over-the-air update, because "they didn't understand what the problem was".

nradov 32 minutes ago

Shipping debug symbols isn't a security vulnerability. It might be sloppy, but we all know that security through obscurity doesn't work. Especially not with modern analysis tools and access to the executable code.

zdragnar 2 hours ago

That's what it means to be a cost center. Anything over the minimum translates to wasted effort and inefficiency.

wizzwizz4 2 hours ago

There would not be such a proliferation if cybersecurity were a well-respected field.